15 February 2017

How to deal with a data protection breach

Regardless of how diligent you are in complying with the 8 principles of data protection, we always recommend that you have a Data Protection Breach Action Plan in place. Remember that some breaches are out of your control, and an Action Plan will provide you, and your employees with guidance you can follow in the event that you find yourself in breach.

The Information Commissioners Office (“ICO”) can impose a fine of up to £500,000, even if the breach is not your fault.

In order to comply with principle 7, you must provide your data subjects with adequate protection from cyber-attacks, which is not easy. You will no doubt recall the cyber-attack on TalkTalk in 2015, which resulted in a £400,000 fine from the ICO, or the Sony hacking scandal in 2013 which cost the company £250,000 in fines.

TalkTalk received a great deal of criticism with regards to the way they handled their cyber-attack and data breach. The ICO, and TalkTalk’s customers, were more concerned by the company’s response to the data breach, rather than the actual release of data itself. This is a good illustration, of how important it is to have a stringent action plan in place to protect your business and your reputation, in the event of the worst case scenario.

Based on the ICO’s guidance on managing a security breach, we have devised a short strategy, of 5 key steps you should take when faced with a data protection breach…

Step 1. Investigate

A prompt and thorough investigation needs to be undertaken as soon as you are made aware of a data breach. You need to swiftly identify the following:

The nature of the breach; this involves consideration of how your data was accessed. Was it in physical or electronic form, and how was it transferred? It could be that your system was intentionally hacked or perhaps the data was released by accident.

The data which has been accessed; next you should ascertain whose data has been released. Is the data personal to your customers or clients, or maybe it relates to your business/employee information? You should also consider who now has access to the data. Is it an unknown third party, a different part of the business, or other data subjects? It might be that you do not know if anyone actually has access to the data… but should consider who might be able to access it.

The extent of the damage and the extent of the potential damage; you might not know what the recipient of the information is planning to use the information for, but consider what could happen with it should it get into the wrong hands, and what might this mean for your data subjects? Consideration of how much data has been released, and how many data subjects are affected will also indicate the severity of the breach.

A thorough investigation should always be your first step. There is little to gain in taking any steps to stop the release of information until you know exactly what has happened and understand the nature and extent of the breach.

Step 2. Take Action

Once you are confident you have as much information as you can gather, you can start to take steps to stop the release of data. What you can do will obviously depend entirely on the circumstances. It may be too late, there may be little you can do once the data is out there but the ICO will request proof that you have made some attempt to stop the release of data, or at least to stop the breach escalating further.

Depending on the nature of the breach, if the data has been passed electronically, it could be that you are able to recall the data, perhaps change passwords or login codes, or even take more drastic action such as the shutting down of servers. If the data has been physically transferred, you may be able to collect it, redact particular details or trace and seek the physical return of the information.

Step 3. Notify

Next you need to consider who needs to be notified of the breach. Its good practice, as far as the ICO is concerned, to report the breach to them as soon as you can, particularly if the breach in question is of a serious nature, i.e. if a lot of data is released or if the data is particularly sensitive. There is also always the risk that someone else will notify them for you so you need to be a step ahead

Depending on your sector, it may be a legal requirement that you inform your regulatory body, if you have one, of the breach; those in the healthcare sector are subject to particularly strict reporting rules.

Sometimes insurance policies also require you to inform your insurer of any data protection breach, and failing to do so may invalidate your insurance. We would recommend notifying your insurers of the breach regardless, in case there are resultant claims. Under principle 6 data subjects are entitled to receive compensation if their data is released without their consent.

Informing your data subjects of the breach means they can change passwords, or cancel accounts, and minimise the consequences of the breach. The ICO acknowledges however that there are some breaches which will not require immediate notification in their Breach Management Guidance. Whether to notify your data subjects will depend entirely on the nature of the breach, the type of information that has been released and of course the potential possible consequences for your data subjects.

Step 4. Is Disciplinary Action needed?

The data breach might have been completely out of your company’s control, but more often than not, there has been some action, or inaction on the part of one of your data processors or employees, which had led to the data breach.

Consider whether the problem lies within your organisation, i.e was the employee properly trained? Was the opportunity for training there? Is there a problem with your internal policies and procedures or equipment and IT which has allowed for the breach to take place.

If not, perhaps you need to consider whether disciplinary policies require you to investigate the employees conduct further, and take action such as suspension or dismissal. This will depend on the severity of the breach, and the individual set of circumstances surrounding it.

Step 5. Audit!

Once you have investigated the breach, taken what action you can to minimise the consequences, notified the relevant parties and taken the disciplinary action necessary, following a data breach you should then consider how to improve, and prevent a breach happening again.

Whilst it may have been caused by a factor outside of your control, a one-off occurrence

It’s advisable to undertake a full audit of your current system for collecting and storing data, and your security policies and procedures. It’s important that you identify what action should be taken, particularly if the ICO is involved in an investigation, as they may request evidence of this.

Carrying out a proper audit will prevent the same mistakes from being made again! One of the key criticisms of TalkTalk was that the breach in question as one of many.